Removing LUKS encryption from a root device in-place

The idea here is to boot into the initial ramdisk (initramfs / initrd) and use the cryptsetup-reencrypt tool to decrypt the root FS backing device in place, whether it is an LVM physical volume or just a partition holding a filesystem, and remove the LUKS header.

1. Boot Ubuntu with the break=mount kernel argument.

I haven't tested CentOS/RHEL, but you would probably need to pass the rd.break=mount kernel argument.

2. Unlock your LUKS device

cryptsetup luksOpen /dev/sda5 sda5-dec

3. Activate your volume group

vgchange -ay

4. Mount your root FS

mount -o ro /dev/mapper/vg--workstation-root /root

5. Copy the cryptsetup-reencrypt tool from the root FS into the initramfs

cp /root/usr/sbin/cryptsetup-reencrypt /usr/sbin

6. Deactivate your LUKS device

umount /root
vgchange -an
cryptsetup luksClose sda5-dec

7. Decrypt your LUKS device

cryptsetup-reencrypt --decrypt /dev/sda5

8. Activate the volume group and mount your root FS again

vgchange -ay
mount /dev/mapper/vg--workstation-root /root

9. chroot into your volume

mount --bind /dev /root/dev
chroot /root /bin/bash
mount -t proc none /proc
mount -t sysfs none /sys
mount -t devpts none /dev/pts

10. Clear the crypttab file

> /etc/crypttab

11. Update the initramfs

mount /boot
update-initramfs -u
umount /boot

12. Exit chroot environment

umount /dev/pts
umount /sys
umount /proc
# leave the chroot; the remaining commands run in the initramfs shell
exit
umount /root/dev
umount /root

13. Deactivate your volume group and reboot

vgchange -an
reboot -f
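
An added check, not part of the original procedure: before rebuilding the initramfs in step 11, confirm that the device no longer begins with the LUKS magic bytes and that crypttab has no active entries. The function names and sample files are constructed for this example; /dev/sda5 and /etc/crypttab are the paths used in the steps above.

```sh
#!/bin/sh
# Added example (not from the original page): checks to run after steps 7 and 10.
# LUKS1 and LUKS2 headers both start with the 6-byte magic "LUKS" 0xBA 0xBE.
LUKS_MAGIC_HEX=4c554b53babe

# has_luks_header PATH: succeeds if PATH still begins with the LUKS magic.
has_luks_header() {
    magic=$(od -An -tx1 -N6 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "$LUKS_MAGIC_HEX" ]
}

# crypttab_active_entries FILE: prints how many lines are neither blank nor comments.
crypttab_active_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true   # grep exits 1 when the count is 0
}

# post_decrypt_check DEVICE CRYPTTAB: succeeds only if both checks pass.
post_decrypt_check() {
    status=0
    if has_luks_header "$1"; then
        echo "FAIL: $1 still starts with a LUKS header" >&2
        status=1
    fi
    entries=$(crypttab_active_entries "$2")
    if [ "$entries" -ne 0 ]; then
        echo "FAIL: $2 still has $entries active entries" >&2
        status=1
    fi
    return "$status"
}

# make_samples DIR: writes constructed test inputs (not real disk images).
make_samples() {
    printf 'LUKS\272\276\000\002' > "$1/encrypted.img"   # magic + version 2
    dd if=/dev/zero of="$1/decrypted.img" bs=512 count=1 2>/dev/null
    printf '# name device key opts\nsda5-dec /dev/sda5 none luks\n' > "$1/crypttab.old"
    printf '# cleared\n\n' > "$1/crypttab.new"
}

# Real use, inside the chroot after step 10:
#   post_decrypt_check /dev/sda5 /etc/crypttab
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    post_decrypt_check "$d/decrypted.img" "$d/crypttab.new" && echo "decrypted sample: OK"
    post_decrypt_check "$d/encrypted.img" "$d/crypttab.old" || echo "encrypted sample: rejected"
    rm -rf "$d"
fi
```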